b"Audit Report\n\n\n\n\nOIG-14-048\nTERRORIST FINANCING/MONEY LAUNDERING: FinCEN\nCompleted the BSA IT Modernization Program Within Budget and\nSchedule\nSeptember 17, 2014\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0cThis Page Intentionally Left Blank.\n\x0cContents\n\nAudit Report\n\n  Audit Results..............................................................................................    3\n\n      BSA IT Mod Program Development Was Completed within Budget and on\n      Schedule ...............................................................................................   3\n\n          BSA IT Mod Completed within Budgeted Costs .....................................                       3\n          BSA IT Mod Program Development Finished on Schedule .......................                            4\n          BSA IT Mod Transitioned to Operations and Maintenance .......................                          5\n          Financial Intelligence Repository Is Operational But\n            Needs Enhancements ......................................................................            6\n          BSA IT Mod Is Meeting External User Needs .........................................                    7\n          FinCEN and Treasury OCIO Oversight Continued ...................................                       8\n          Status of Prior BSA IT Mod Issues .......................................................              9\n\n  Conclusion ................................................................................................. 10\n\nAppendices\n\n  Appendix     1:      Objectives, Scope, and Methodology ......................................                 11\n  Appendix     2:      Additional Background Information on BSA IT Mod ..................                        14\n  Appendix     3:      Management Response .........................................................             21\n  Appendix     4:      Major Contributors to this Report ...........................................             22\n  Appendix     5:      Report Distribution ...............................................................       23\n\nAbbreviations\n\n  BSA                  Bank Secrecy Act\n  BSA IT Mod           BSA Information Technology Modernization Program\n  FinCEN               Financial Crimes Enforcement Network\n  FIR                  Financial Intelligence Repository\n  IRS                  Internal Revenue Service\n  IT                   Information Technology\n  MITRE                MITRE Corporation\n  OCIO                 Office of the Chief Information Officer\n  OIG                  Office of Inspector General\n  TEOAF                Treasury Executive Office for Asset Forfeiture\n\n\n\n                       FinCEN Completed the BSA IT Modernization Program Within                              Page i\n                       Budget and Schedule (OIG-14-048)\n\x0c    This Page Intentionally Left Blank.\n\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within   Page ii\nBudget and Schedule (OIG-14-048)\n\x0c                                                                                    Audit\nOIG\nThe Department of the Treasury\n                                                                                    Report\nOffice of Inspector General\n\n\n\n\n                        September 17, 2014\n\n                        Jennifer Shasky Calvery, Director\n                        Financial Crimes Enforcement Network\n\n                        In 2011, Congress directed our office to report on the\n                        planning and implementation of the Bank Secrecy Act (BSA)\n                        Information Technology Modernization (BSA IT Mod) by the\n                        Financial Crimes Enforcement Network (FinCEN). Since that\n                        time, as directed, we have provided semi-annual reports on\n                        the progress of this 4-year, $120 million effort to modernize\n                        the collection and analysis of BSA data to support Federal,\n                        state, and local agencies engaged in identifying money\n                        laundering, terrorist financing, tax evasion, and\n                        vulnerabilities in the financial industry. 1 This report is the\n                        sixth and final report on FinCEN\xe2\x80\x99s design and implementation\n                        of BSA IT Mod. 2\n\n                        Consistent with the Congressional directive, the objectives\n                        of the audit were to determine if FinCEN was (1) meeting\n                        cost, schedule, and performance benchmarks for the\n                        program and (2) providing appropriate oversight of\n                        contractors. We also assessed any deviations from FinCEN\xe2\x80\x99s\n                        plan. The period covered by this audit was January through\n                        June 2014. We interviewed FinCEN program officials, the\n\n\n1\n    House Report (H. Rept.) 112-331 directed our office to report on BSA IT Mod, including\n    contractor oversight and progress regarding budget and schedule, semiannually.\n2\n    Our prior five reports issued under the Congressional directive are: FinCEN\xe2\x80\x99s BSA IT\n    Modernization Program Is on Schedule and Within Cost But Requires Continued Attention to\n    Ensure Successful Completion (OIG-12-047; Mar. 26, 2012); FinCEN\xe2\x80\x99s BSA IT Modernization\n    Program Is Meeting Milestones, But Oversight Remains Crucial (OIG-12-077; Sep. 27, 2012);\n    FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with Schedule Extensions\n    (OIG-13-036; Mar. 28, 2013); FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget\n    and on Schedule But Users Suggest Enhancements (OIG-13-053; Sep. 25, 2013); and\n    FinCEN\xe2\x80\x99s BSA IT Modernization Program is on Budget, on Schedule and Close to Completion\n    (OIG-14-029; Mar. 25, 2014).\n\n\n\n                        FinCEN Completed the BSA IT Modernization Program Within                Page 1\n                        Budget and Schedule (OIG-14-048)\n\x0c                          Department of the Treasury\xe2\x80\x98s (Treasury) Office of Chief\n                          Information Officer (OCIO) officials, and BSA IT Mod system\n                          users from various components within the Department of\n                          Justice. We interviewed representatives from Deloitte\n                          Consulting, LLP (Deloitte), and MITRE Corporation (MITRE),\n                          the contractors involved with developing the program. 3\n                          Additionally, we interviewed the contractors who support\n                          the program\xe2\x80\x99s operations and maintenance. We also\n                          reviewed applicable program documentation. We performed\n                          our fieldwork from April 2014 through July 2014. Appendix\n                          1 provides a more detailed description of our audit\n                          objectives, scope, and methodology. Appendix 2 provides\n                          additional background information on BSA IT Mod, including\n                          its component projects.\n\n                          In brief, we found that FinCEN completed BSA IT Mod\n                          development in March 2014, within the $120 million\n                          budgeted for the program and within the planned 4-year\n                          schedule. During this audit period, FinCEN completed BSA IT\n                          Mod\xe2\x80\x99s final milestone project, the second phase of Release 2\n                          of the Broker Information Exchange. Additionally, BSA IT\n                          Mod transitioned from the development phase to the\n                          operation and maintenance phase. Although the development\n                          phase was completed, FinCEN is working on certain\n                          necessary enhancements to BSA Mod IT.\n\n                          We are making no recommendations in this report. Because\n                          BSA IT Mod is critical to both FinCEN\xe2\x80\x99s mission as well as to\n                          Federal, state, and local stakeholders, as part of the Office\n                          of Inspector General annual planning process, we will\n                          continue to monitor FinCEN\xe2\x80\x99s efforts as the program\n                          progresses through the operations and maintenance phase.\n\n\n\n\n3\n    FinCEN contracted with Deloitte to oversee the systems development and integration effort.\n    Deloitte was the prime contractor in the BSA IT Mod effort. FinCEN also engaged MITRE as a\n    subject matter expert on program and project management and BSA IT Mod business\n    capabilities. MITRE is a not-for-profit organization chartered to work in the public interest with\n    expertise in systems engineering, information technology, operational concepts, and enterprise\n    modernization. See appendix 2 for additional detail about FinCEN\xe2\x80\x99s BSA IT Mod contracts.\n\n\n\n                          FinCEN Completed the BSA IT Modernization Program Within                       Page 2\n                          Budget and Schedule (OIG-14-048)\n\x0c                        In its management response, which is provided in\n                        appendix 3, FinCEN acknowledged our conclusion that the\n                        BSA IT Mod program was completed within budget and on\n                        schedule. FinCEN also stated it will continue to engage its\n                        stakeholders to gather feedback, prioritize efforts, and\n                        address user needs throughout the operations and\n                        maintenance phase.\n\nAudit Results\n\n                        BSA IT Mod Program Development Was Completed\n                        within Budget and on Schedule\n\n                        BSA IT Mod Completed within Budgeted Costs\n\n                        FinCEN completed the final milestone project in March 2014\n                        and spent $111.3 million developing BSA IT Mod from its\n                        overall $120 million, 4-year planned budget. 4 A breakdown\n                        by category of the costs incurred during the 4-year\n                        development is provided below.\n\n                         Table 1: BSA IT Mod Development Costs at Completion (in millions)\n                         Category                                                                          Amount\n                            Hardware and Software                                                           $12.0\n                            Contractor Services                                                              46.4\n                            Other1                                                                           15.9\n                            Operations and Maintenance                                                       37.0\n                           Total                                                                           $111.3\n                         Source: OIG analysis of FinCEN data.\n                         1\n                             Other costs are comprised of (1) program management and program engineering\n                             performed by contractors including Deloitte and MITRE and (2) a 4 percent fee by the\n                             Department of the Interior\xe2\x80\x99s National Business Center Acquisition Services Directorate\n                             for contract support.\n\n\n                        FinCEN funded BSA IT Mod development through its annual\n                        Congressional appropriations and supplemental funding from\n                        the Treasury Forfeiture Fund administered by the Treasury\n\n\n4\n    Prior to the Office of Management and Budget\xe2\x80\x99s approval of the $120 million development\n    budget for BSA IT Mod, FinCEN spent $11.2 million in planning. Additionally, FinCEN\n    estimated that $6.6 million was incurred in staffing costs related to the program during the 4-\n    year development of the program. These costs are not reflected in Table 1.\n\n\n\n                        FinCEN Completed the BSA IT Modernization Program Within                                      Page 3\n                        Budget and Schedule (OIG-14-048)\n\x0c                        Executive Office for Asset Forfeiture (TEOAF). 5 Appendix 2\n                        provides detail on funding source by year.\n\n                        BSA IT Mod Program Development Finished on Schedule\n\n                        FinCEN completed all BSA IT Mod project milestones for\n                        building the foundation for modernized BSA data collection,\n                        storage, sharing, and analysis. During the audit period,\n                        FinCEN completed the final milestone project \xe2\x80\x94 the second\n                        phase of Release 2 of the Broker Information Exchange.\n                        Appendix 2 provides the status of BSA IT Mod by project.\n\n                        FinCEN, contractors, and OCIO officials told us that BSA IT\n                        Mod was successfully developed, that it met its originally\n                        planned functionality, and that it was performing well\n                        without any significant issues. Additionally, there have been\n                        no reductions in the program\xe2\x80\x99s scope or deferments of\n                        critical functionality.\n\n                        During the audit period, FinCEN conducted performance\n                        testing through government acceptance testing. 6 FinCEN\n                        tested the final milestone project, the second phase of\n                        Release 2 of the Broker Information Exchange, as well as all\n                        system changes and releases done as part of operations and\n                        maintenance. FinCEN considered all remaining open defects\n                        manageable and of low severity, meaning that the defects\n\n\n5\n    TEOAF provided funding for BSA IT Mod consistent with its authority to provide funds for\n    law enforcement-related expenditures. The Treasury Forfeiture Fund, which is the receipt\n    account for the deposit of non-tax forfeitures resulting from law enforcement actions by\n    participating Treasury and Department of Homeland Security agencies. The Treasury\n    Forfeiture Fund was established under 31 U.S.C. \xc2\xa7 9703. The Fund can provide money to\n    other Federal entities to accomplish specific objectives for which the recipient entities are\n    authorized to spend money and toward other authorized expenses. Distributions from the\n    Fund in excess of $500,000 cannot be used until the Appropriations Committees from both\n    houses of Congress are notified. TEOAF submits its planned release of funds to Congress\n    annually. Those submissions through fiscal year 2012 included the funding provided for the\n    BSA IT Mod program.\n6\n    Government acceptance testing is the Government\xe2\x80\x99s opportunity to validate that the users\xe2\x80\x99\n    requirements were met. This includes testing functionality, system usability, permissions and\n    security, compatibility testing, and traceability to business requirements through test script\n    execution, demonstrations, and inspections. Performance and response time are also\n    observed.\n\n\n\n                        FinCEN Completed the BSA IT Modernization Program Within                     Page 4\n                        Budget and Schedule (OIG-14-048)\n\x0c                        would not significantly impair program performance or\n                        functionality. FinCEN planned to continue to address\n                        remaining open defects as part of its ongoing production\n                        releases and system upgrades during the operations and\n                        maintenance phase. 7\n\n                        During the audit period, FinCEN\xe2\x80\x99s operations and\n                        maintenance activities were primarily focused on upgrading\n                        BSA IT Mod\xe2\x80\x99s software applications and hardware rather\n                        than addressing defects and users\xe2\x80\x99 requests for change and\n                        enhancements. These activities included upgrades to FinCEN\n                        Query\xe2\x80\x99s search engine software and hardware upgrades to E-\n                        filing servers to handle anticipated electronic filing increases.\n                        FinCEN also worked to improve BSA IT Mod testing\n                        environments. 8 FinCEN program officials told us that the\n                        decision to focus principally on hardware and software\n                        upgrades was planned to allow the new operations and\n                        maintenance contractor, Northrop Grumman, time to become\n                        more familiar with BSA IT Mod\xe2\x80\x99s programing before\n                        addressing defects or users\xe2\x80\x99 requests for change and\n                        enhancements.\n\n                        BSA IT Mod Transitioned to Operations and Maintenance\n\n                        With the completion of the final milestone project, BSA IT\n                        Mod transitioned from the development phase to the\n                        operations and maintenance phase. FinCEN will fund the\n                        operations and maintenance each year through its annual\n                        Congressional appropriations. FinCEN\xe2\x80\x99s fiscal year 2014\n                        budget included $25.7 million to fund BSA IT Mod\xe2\x80\x99s\n                        remaining development project and operations and\n\n\n\n\n7\n    FinCEN logs and prioritizes all defects, requests for change and enhancements, as well as\n    necessary fixes to repair system functionality. As of June 30, 2014, FinCEN had 194\n    requests for change and enhancements and 313 open defects, which FinCEN plans to\n    address in operations and maintenance regularly scheduled upgrades.\n8\n    The testing and system environments should be mirror images of each other so that the\n    effects of a programing change can be observed first, in the test environment, without\n    impacting users operating in the system environment.\n\n\n\n                        FinCEN Completed the BSA IT Modernization Program Within                Page 5\n                        Budget and Schedule (OIG-14-048)\n\x0c                         maintenance. For fiscal year 2015, FinCEN anticipates $27.6\n                         million will be needed to fund operations and maintenance. 9\n\n                         FinCEN\xe2\x80\x99s program management told us that no significant\n                         future development work was planned for BSA IT Mod and\n                         that the level of funding for operations and maintenance\n                         should be sufficient to address remaining open defects as\n                         well as make minor enhancements and address requests for\n                         change. The estimated service life of BSA IT Mod was 10\n                         years; however, with the program\xe2\x80\x99s foundation now in place,\n                         FinCEN expects the investment\xe2\x80\x99s lifecycle to last beyond 10\n                         years.\n\n                         Financial Intelligence Repository Is Operational But Needs\n                         Enhancements\n\n                         FinCEN converted investigative and enforcement cases from\n                         their existing case management system to the Financial\n                         Intelligence Repository (FIR) as part of the Broker Information\n                         Exchange project. 10 However, FinCEN continued using an\n                         existing system, FinDB, for \xe2\x80\x9c314a\xe2\x80\x9d cases because FIR could\n                         not interact with the Secure Information Sharing System. 11\n                         FinCEN plans to resolve this as part of an operations and\n                         maintenance effort scheduled for October 2014. According\n                         to FinCEN, MITRE, and Deloitte officials, the Broker\n                         Information Exchange project\xe2\x80\x99s original plan included building\n                         the foundation and establishing core functionality for case\n                         creation and storage, and that this core functionality was\n                         successfully accomplished.\n\n                         During the audit period, FIR also experienced performance\n                         issues with its responsiveness, including inability to open\n\n9\n     These dollar amounts for fiscal years 2014 and 2015 include FTE costs.\n10\n     Appendix 2 has more detail on the Broker Information Exchange project including a listing of\n     the case types converted.\n11\n     \xe2\x80\x9c314a\xe2\x80\x9d refers to section 314a of the USA PATRIOT Act. This section of the act provides\n     authority for law enforcement agencies to submit requests through FinCEN to financial\n     institutions for information about financial accounts and transactions of persons or\n     businesses that may be involved in terrorism or money laundering. FinCEN\xe2\x80\x99s Secure\n     Information Sharing System, which is separate from BSA IT Mod, allows financial institutions\n     to receive and transmit information on 314a requests.\n\n\n\n                         FinCEN Completed the BSA IT Modernization Program Within                   Page 6\n                         Budget and Schedule (OIG-14-048)\n\x0c                         documents and interface with FinCEN Query. 12 FinCEN\n                         officials told us that they considered these performance\n                         issues to be serious and that the issues were addressed\n                         outside of the normal release schedule. FinCEN officials also\n                         told us that they planned to resolve the remaining FIR\n                         performance issues and address users\xe2\x80\x99 requests for change\n                         in future operations and maintenance releases. Additionally,\n                         FinCEN did not complete all work to update the FIR test\n                         environment; FinCEN officials said that this matter would be\n                         resolved in the next release of FIR scheduled for the end of\n                         September 2014.\n\n                         BSA IT Mod Is Meeting External User Needs\n\n                         As of June 30, 2014, approximately 11,000 users had\n                         performed approximately 7.2 million data queries since\n                         FinCEN Query went live in September 2012. FinCEN\n                         program officials told us that they had not heard of any\n                         significant user complaints or issues. We found most calls to\n                         the FinCEN Helpdesk were non-performance related, such as\n                         password and login resets, or instructions on how to\n                         complete E-filing forms.\n\n                         In a previous report, we discussed the feedback we received\n                         from external users of FinCEN Query on their experience\n                         with the tool; that feedback was generally positive. We also\n                         noted in the report that we had not yet obtained feedback\n                         from DOJ users. During this audit period, we interviewed a\n                         number of DOJ users; as a whole, they were also positive\n                         about FinCEN Query and told us that it was meeting their\n                         business needs. Overall, they said that the system performed\n                         well, was responsive, and that the quality of the data was\n                         satisfactory.\n\n\n\n\n12\n     FinCEN Query is a tool designed to improve authorized users\xe2\x80\x99 ability to access and analyze\n     BSA data. The tool supports traditional structured BSA data queries, and provides narrative\n     search capabilities and options to coordinate and collaborate with users on queries\n     performed.\n\n\n\n                         FinCEN Completed the BSA IT Modernization Program Within                  Page 7\n                         Budget and Schedule (OIG-14-048)\n\x0cFinCEN and Treasury OCIO Oversight Continued\n\nDuring the audit period, FinCEN maintained the same level of\noversight over the contractors as in our previous audit.\nFinCEN program officials told us that the transition of the\noperations and maintenance contract from Deloitte to\nNorthrup Grumman had gone well, as did the infrastructure\ncontract transition from Deloitte to NavStar.\n\nMITRE representatives told us that they believed FinCEN was\nsuccessfully managing the program and they had not seen\nany adverse effects from MITRE\xe2\x80\x99s reduced involvement in\nthe program. Additionally, FinCEN, MITRE, and Deloitte\nofficials told us that they were confident in Northrup\nGrumman\xe2\x80\x99s ability to maintain BSA IT Mod in the operations\nand maintenance phase.\n\nIn our previous audit, we found Treasury OCIO\xe2\x80\x99s monitoring\nof the BSA IT Mod program appropriate given the overall\npositive track record on this development effort. During this\naudit, we found Treasury OCIO continued to monitor\nFinCEN\xe2\x80\x99s monthly data submissions and post-implementation\nreviews to identify potential issues, and performed macro-\nlevel reviews including trend analysis.\n\nTreasury OCIO officials told us that BSA IT Mod was\nperforming well and that they knew of no significant\nperformance issues or user complaints. They were also\nsatisfied with FinCEN\xe2\x80\x99s management of the program and\nbelieve that FinCEN\xe2\x80\x99s oversight of the program and\ncontractors had gone well. OCIO officials told us that, as a\nwhole, BSA IT Mod was successful and attributed the\nsuccess to FinCEN\xe2\x80\x99s program management personnel. They\nalso believed that FinCEN will successfully administer BSA IT\nMod in the operations and maintenance phase.\n\nOCIO plans to continue to monitor the BSA IT Mod program\nin the operations and maintenance phase using operational\n\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within        Page 8\nBudget and Schedule (OIG-14-048)\n\x0c                        metrics 13 and by conducting annual operational analyses. 14\n                        Treasury OCIO did not know of any additional production\n                        capabilities planned for BSA IT Mod at the time of the audit,\n                        but told us that any development expected to exceed 90\n                        days or $200,000 would require FinCEN to report to OCIO in\n                        the same manner as a milestone project.\n\n                        As planned, FinCEN ended external BSA IT Mod governance\n                        through the discontinuance of the Modernization Executive\n                        Group and Executive Steering Committee in April 2014. 15\n                        Treasury OCIO officials said that they had no concerns over\n                        this action since the program development was completed.\n\n                        We believe that the oversight by FinCEN management and\n                        Treasury OCIO during the audit period was appropriate given\n                        the overall positive track record by FinCEN in managing its\n                        BSA IT Mod development effort.\n\n                        Status of Prior BSA IT Mod Issues\n\n                        In our last report, we recommended that FinCEN continue to\n                        work with users to address users\xe2\x80\x99 requests for training and\n                        enhancements. During this audit period, FinCEN continued to\n                        work through the Data Management Council (DMC) to\n                        address and prioritize user issues, including soliciting\n                        feedback on the prioritization of system defects, requests for\n                        change, and enhancements; briefing users on the content of\n                        operation and maintenance releases and system issues; and\n                        providing training and resource information.\n\n\n13\n     Examples of operational metrics captured by FinCEN include the average number of hours\n     from receipt of BSA data to availability in FinCEN Query and the percent of customers who\n     report overall satisfaction with the use of FinCEN Query.\n14\n     The Office of Management and Budget (OMB) directs agencies to periodically examine the\n     performance of IT investments against, among other things, established cost, schedule, and\n     performance goals. Specifically, OMB calls for agencies to perform annual operational\n     analyses, which are a key method for examining the performance of such investments.\n     Operational analysis will include trend analysis to measure if the system is performing as\n     intended in production.\n15\n     The Treasury CIO was a member of both the BSA IT Mod Modernization Executive Group and\n     Executive Steering Committee. These governance bodies met on a quarterly basis or when a\n     major decision or approval was sought for BSA IT Mod.\n\n\n\n                        FinCEN Completed the BSA IT Modernization Program Within                  Page 9\n                        Budget and Schedule (OIG-14-048)\n\x0c             We also recommended in our last report that FinCEN make\n             agencies aware of the process to contact FinCEN if misuse\n             of BSA data is suspected. During this audit period, FinCEN\n             notified DMC members about the process. FinCEN program\n             officials told us that FinCEN continued to develop its own\n             program to monitor the use of BSA data. Currently, FinCEN\xe2\x80\x99s\n             Liaison Division was working with all BSA IT Mod user\n             agencies on establishing Memoranda of Understandings\n             addressing the monitoring process that will be used, and\n             FinCEN plans to hire a consultant to review its inspection\n             program.\n\nConclusion\n             This report is our sixth and final on the status of FinCEN\xe2\x80\x99s\n             development of BSA IT Mod. All development milestone\n             projects were completed, and the overall program was\n             completed within schedule and within budget. Going\n             forward, FinCEN will need to address the remaining program\n             defects, users' requests for change and enhancements,\n             training, and FIR\xe2\x80\x99s functionality. We plan to monitor and\n             assess FinCEN\xe2\x80\x99s efforts in these areas in future audits.\n\n                                             ******\n\n             We appreciate the cooperation and courtesies extended to\n             our staff during the audit. If you wish to discuss the report,\n             you may contact me at (617) 223-8638 or Mark Ossinger,\n             Audit Manager, at (617) 223-8643. Major contributors to\n             this report are listed in appendix 4.\n\n             /s/\n             Sharon Torosian\n             Audit Director\n\n\n\n\n             FinCEN Completed the BSA IT Modernization Program Within         Page 10\n             Budget and Schedule (OIG-14-048)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nPursuant to a Congressional directive, this is the sixth and final in a\nseries of audits of the Financial Crimes Enforcement Network's\n(FinCEN) Bank Secrecy Act (BSA) Information Technology\nModernization Program (BSA IT Mod). Our objective was to\ndetermine if FinCEN is (1) meeting cost, schedule, and performance\nbenchmarks for this program and (2) providing appropriate\noversight of contractors. In addition, we evaluated any deviations\nfrom FinCEN\xe2\x80\x99s plan. We determined the status of the program\xe2\x80\x99s\ncost, schedule, and performance through June 30, 2014.\n\nTo accomplish our objective, we interviewed officials with FinCEN,\nthe Department of the Treasury\xe2\x80\x99s Office of the Chief Information\nOfficer (OCIO), and FinCEN\xe2\x80\x99s contractors. We also interviewed BSA\nIT Mod users from various Department of Justice (DOJ) component\nagencies. In addition, we reviewed applicable program\ndocumentation. We performed our fieldwork from April 2014\nthrough July 2014.\n\nAt FinCEN, we interviewed:\n\n\xe2\x80\xa2   The Chief Information Officer (CIO), Chief Technology Officer\n    (CTO), and BSA IT Mod Program Manager to obtain an update\n    on BSA IT Mod, cost and schedule concerns, project testing\n    conducted and defect resolution, strategies employed, and\n    overall progress of the program.\n\n\xe2\x80\xa2   The BSA IT Mod project managers, project leaders, and\n    contracting officer\xe2\x80\x99s representatives to obtain an understanding\n    of their perspective, level of involvement, schedule and\n    performance concerns, and overall progress of their respective\n    projects.\n\nExternal to FinCEN, we interviewed the following officials:\n\n\xe2\x80\xa2   Deloitte Consulting LLP\xe2\x80\x99s Managing Director and Deloitte\xe2\x80\x99s\n    Program Manager for BSA IT Mod to obtain an update on their\n    perspective of BSA IT Mod and ascertain the program\xe2\x80\x99s status.\n\n\xe2\x80\xa2   Northrup Grumman\xe2\x80\x99s on-site Program Manager for BSA IT Mod\n    to obtain an update on his perspective of BSA IT Mod and\n    ascertain the program\xe2\x80\x99s status.\n\nFinCEN Completed the BSA IT Modernization Program Within        Page 11\nBudget and Schedule (OIG-14-048)\n\x0c                         Appendix 1\n                         Objectives, Scope, and Methodology\n\n\n\n\n                         \xe2\x80\xa2   NavStar\xe2\x80\x99s Executive Manager and on-site Program Manager for\n                             BSA IT Mod to obtain an update on their perspective of BSA IT\n                             Mod and ascertain the program\xe2\x80\x99s status.\n\n                         \xe2\x80\xa2   Total Systems Technologies Corporation Director for BSA IT\n                             Mod to obtain an update on her perspective of BSA IT Mod and\n                             ascertain the program\xe2\x80\x99s status.\n\n                         \xe2\x80\xa2   MITRE representatives to obtain an update of MITRE\xe2\x80\x99s role as\n                             the Federally funded research and development contractor, its\n                             level of involvement with the program, as well as issues,\n                             concerns, and other significant matters observed.\n                         \xe2\x80\xa2   The Treasury OCIO\xe2\x80\x99s Director of IT Capital Planning for an\n                             update on OCIO\xe2\x80\x99s role in overseeing BSA IT Mod, as well as\n                             issues, concerns, and other significant matters.\n                         External to the program:\n                          \xe2\x80\xa2 We interviewed 16 BSA IT Mod users from 6 agencies within\n                            DOJ to determine their level of satisfaction with FinCEN Query.\n                            The individuals we interviewed were frequent users of FinCEN\n                            Query as identified by DOJ and FinCEN documentation.\n                         We reviewed FinCEN program-related information, including:\n                         management reports; minutes from executive, management, and\n                         technical meetings; planning documentation; program and project-\n                         level documentation, including the results of a 2014 BSA E-filing\n                         customer satisfaction survey; 16 FinCEN\xe2\x80\x99s Program Management\n                         system which contained defect and requests for change tickets;\n                         FinCEN helpdesk log; FinCEN user training plans; FinCEN system\n                         performance metrics; and FinCEN presentations to internal and\n                         external oversight groups (e.g., Congress, Office of Management\n                         and Budget, Treasury OCIO, BSA IT Modernization Executive Group\n                         and Executive Steering Committee, and FinCEN management).\n\n\n\n16\n     The survey was conducted by a FinCEN contractor. FinCEN provided a contractor with 50,865 e-mail\n     addresses of BSA E-Filing users. The contractor sent the survey to these users in March 2014. The\n     contractor received 5,795 responses, yielding an 11 percent response rate. FinCEN and the\n     contractor developed the survey questionnaire to measure overall satisfaction with the BSA E-filing\n     system, including the reasons for the respondents\xe2\x80\x99 satisfaction. The survey resulted in a satisfaction\n     score that was above the average score for other Federal agency programs.\n\n\n\n                         FinCEN Completed the BSA IT Modernization Program Within                  Page 12\n                         Budget and Schedule (OIG-14-048)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nTo substantiate that performance testing had occurred on BSA IT\nMod, we interviewed FinCEN officials involved with BSA IT Mod\ngovernment acceptance testing and reviewed testing-related\ndocumentation, including testing plans and status reports. We\nobserved that any testing defects and issues identified during\ntesting were recorded in FinCEN\xe2\x80\x99s project management and issues\ntracking system.\n\nWe conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require\nthat we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within      Page 13\nBudget and Schedule (OIG-14-048)\n\x0c                             Appendix 2\n                             Additional Background Information on BSA IT Mod\n\n\n\n\n                             The Financial Crimes Enforcement Network\xe2\x80\x99s (FinCEN) efforts to\n                             establish a system to manage and house Bank Secrecy Act (BSA)\n                             data has been an extensive process. Planning of the BSA\n                             Information Technology Modernization (BSA IT Mod) program\n                             began after an earlier attempt to establish a similar program\n                             failed. 17 Figure 1 provides a timeline of significant events in the\n                             BSA IT Mod program.\n\n Figure 1. Timeline of Significant Events in FinCEN\xe2\x80\x99s BSA System Modernization Efforts\n\n                         January 2007 \xe2\x80\x93\n                        December 2009                                             January 2012              March 2014\n      July 2006       FinCEN developed IT                May 2010           FinCEN transitioned the     FinCEN completed\n        FinCEN        governance process,                Design and          collection, processing,    all planned system\n      terminated      stakeholders\xe2\x80\x99 needs,              development         and storage of all BSA          development\n      BSA Direct       and business case                phase started             data from IRS              milestones\n\n\n 2006          2007           2008       2009           2010         2011          2012          2013        2014\n\n\n        November 2006                 January 2009             June 2011         November 2012           March 2013\n     FinCEN established IT                Program                FinCEN              FinCEN             FinCEN adjusts\n     modernization, vision             initiation and           realigned         completed roll        schedule of the\n      and strategy and set            planning phase            costs and         out of FinCEN              Broker\n         modernization                of BSA IT Mod              adjusts         Query to 7,500           Information\n           foundation                      started              schedule              users                Exchange\n                                                                                                             Project\n\n Source: OIG review of FinCEN data.\n\n\n\n\n17\n     FinCEN terminated BSA Direct Retrieval and Sharing after concluding the project had no guarantee of success.\n     We reviewed that failure and found that FinCEN poorly managed the predecessor project, insufficiently defined\n     functional and user requirements, misjudged project complexity, and established an unrealistic completion date.\n     We also found that the Treasury OCIO did not actively oversee the project, as required by the Clinger-Cohen Act\n     of 1996. Treasury Office of Inspector General (OIG), The Failed and Costly BSA Direct R&S System\n     Development Effort Provides Important Lessons for FinCEN\xe2\x80\x99s BSA Modernization Program (OIG-11-057; Jan. 5,\n     2011).\n\n\n\n                             FinCEN Completed the BSA IT Modernization Program Within                            Page 14\n                             Budget and Schedule (OIG-14-048)\n\x0cAppendix 2\nAdditional Background Information on BSA IT Mod\n\n\n\n\nProjects Included\n\nBSA IT Mod is made up of multiple projects with specific\ncomponents. The projects are summarized below. All projects were\ncompleted as of March 28, 2014.\n\n\xe2\x80\xa2   System of Record (SOR) provides data storage and architecture\n    for BSA data for 11 years of BSA data.\n\n\xe2\x80\xa2   Shared Filing Services provides for validation of BSA data with\n    external data sources, such as validation of addresses to U.S.\n    Postal Service data.\n\n\xe2\x80\xa2   Third Party Data provides the SOR additional BSA data through\n    external data sources such as the financial institution\n    identification number assigned by the Federal Reserve System.\n\n\xe2\x80\xa2   Bulk Data Dissemination is used for the distribution of large\n    quantities of BSA data to external users.\n\n\xe2\x80\xa2   Data Conversion converted 11 years of BSA data from an\n    Internal Revenue Service legacy system to FinCEN\xe2\x80\x99s new SOR.\n\n\xe2\x80\xa2   BSA E-Filing is used by BSA filers to submit all required\n    electronic filing of BSA forms to FinCEN.\n\n\xe2\x80\xa2   FinCEN Query is a tool designed to improve authorized users\xe2\x80\x99\n    ability to access and analyze BSA data. The tool is used by\n    FinCEN internal users and by registered external users and\n    customers to retrieve and analyze BSA data. The tool supports\n    traditional structured BSA data queries, and provides narrative\n    search capabilities and options to coordinate and collaborate\n    with users on queries performed.\n\n\xe2\x80\xa2   Advanced Analytics provides complex search and retrieval\n    functionality for FinCEN internal users to support their\n    analytical, law enforcement, and regulatory activities. The tool\n    provides advanced analytical capabilities such as geospatial,\n    statistical analysis, social networking, semantic interchange,\n    and visualization capabilities.\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within        Page 15\nBudget and Schedule (OIG-14-048)\n\x0c                        Appendix 2\n                        Additional Background Information on BSA IT Mod\n\n\n\n\n                        \xe2\x80\xa2   Register User Portal/Identity Management/Access Control\n                            Management provides the means for common user interface and\n                            authentication process through which both internal and external\n                            authorized users gain access to all BSA IT Mod applications.\n\n                        \xe2\x80\xa2   Infrastructure provided the design, development, procurement,\n                            and implementation of the development and test environments,\n                            storage area network(s), and disaster recovery capabilities\n                            required to support BSA IT Mod projects.\n\n                        \xe2\x80\xa2   Broker Information Exchange provides the Financial Intelligence\n                            Repository (FIR), which includes 314a and 314b components.\n                            The FIR replaces FinCEN\xe2\x80\x99s case management systems\xe2\x80\x94FinDB\n                            for investigative cases, and the Customer Management System\n                            and other systems for compliance, enforcement, and outreach\n                            cases. The first release created FIR and incorporated SharePoint\n                            (a Microsoft software application for sharing information) as a\n                            mechanism to share case information for both internal and\n                            external users. The 314a component allows law enforcement\n                            agencies to submit requests through FinCEN to financial\n                            institutions for information about financial accounts and\n                            transactions of persons or businesses that may be involved in\n                            terrorism or money laundering. The 314b component allows\n                            financial institutions to share information with one another\n                            through FinCEN to identify and report suspicious money\n                            laundering or terrorist activities to the federal government. 314a\n                            and 314b refer to Section 314 of the USA Patriot Act that\n                            requires FinCEN to establish these functionalities. 18\n\n                        \xe2\x80\xa2   Alerts provides for an automatic alert to be sent to FinCEN\n                            analysts about suspicious activities reported by filers based on\n                            pre-defined criteria.\n\n                        As of June 30, 2014, all BSA IT Mod component projects are\n                        completed. Table 1 displays the status of BSA IT Mod by project.\n\n\n\n\n18\n     Section 314 of the USA Patriot Act is established under 31 U.S.C. \xc2\xa7 5311.\n\n\n\n                        FinCEN Completed the BSA IT Modernization Program Within       Page 16\n                        Budget and Schedule (OIG-14-048)\n\x0c                    Appendix 2\n                    Additional Background Information on BSA IT Mod\n\n\n\n\nTable 1. BSA IT Mod Project Schedule Status at June 30, 2014\n                                 Planned            Revised Planned     Actual         Project\n                                 Completion         Completion          Completion     Status at\n                                 Date at May        Date at June        Date at June   June\nProject                          20101              20112               2014           2014\nSOR\n      Release 1                  9/30/2011          12/1/2011           12/15/2011     Complete\n      Release 2                  6/30/2012          7/1/2012            10/16/2012     Complete\nShared Filing Services\n      Release 1                  9/30/2011          12/1/2011           12/15/2011     Complete\n      Release 2                  6/30/2012          7/1/2012            10/16/2012     Complete\nThird Party Data\n      Release 1                  9/30/2011          12/1/2011           12/15/2011     Complete\n      Release 2                  6/30/2012          7/1/2012            10/16/2012     Complete\nData Conversion                  12/31/2011         1/1/2012            1/6/2012       Complete\nE-Filing\n      Release 1                  6/30/2011          7/1/2011            7/1/2011       Complete\n      Release 2                  10/31/2011         7/1/2012            7/31/2012      Complete\nFinCEN Query\n      Release 1                  2/28/2012          6/1/2012            7/20/2012      Complete\n      Release 2                  9/30/2012          10/1/2012           11/16/2012     Complete\nAdvanced Analytics\n      Release 1                  10/31/2010         10/31/2010          10/31/2010     Complete\n      Release 2                  4/30/2011          4/30/2011           4/30/2011      Complete\n      Release 3                  7/31/2012          9/1/2012            8/1/2012       Complete\n      SCIF3                      n/a                12/1/2012           11/9/2012      Complete\nRegister User Portal             3/31/2011          3/31/2011           3/31/2011      Complete\nIdentity/Access\nControl Management               3/31/2011          3/31/2011           3/31/2011      Complete\nBroker Information Exchange\n     314A,B Release 1            5/31/2011          5/31/2011           5/31/2011      Complete\n     314A,B Release 2 Phase 1    12/31/2012         4/1/2013            9/20/20134     Complete\n     314A,B Release 2 Phase 25   n/a                n/a                 3/28/20144     Complete\nAlerts                           9/30/2012          1/1/2013            1/4/2013       Complete\nBulk Data Dissemination\n      Release 1                  9/30/2011          3/1/2012            4/17/2012      Complete\n      Release 2                  6/30/2012          7/1/2012            10/16/2012     Complete\n\n\n\n\n                    FinCEN Completed the BSA IT Modernization Program Within               Page 17\n                    Budget and Schedule (OIG-14-048)\n\x0c                       Appendix 2\n                       Additional Background Information on BSA IT Mod\n\n\n\n\nTable 1. BSA IT Mod Project Schedule Status at June 30, 2014\n                                     Planned              Revised Planned      Actual              Project\n                                     Completion           Completion           Completion          Status at\n                                     Date at May          Date at June         Date at June        June\nProject                              20101                20112                2014                2014\nInfrastructure & Portal Security\nDevelop and Test                     9/30/2010            9/30/2010            9/30/2010          Complete\n     Release 1                       3/31/2011            3/31/2011            3/31/2011          Complete\n     Release 2                       9/30/2011            9/30/2011            9/30/2011          Complete\n     Release 3                       6/30/2012            n/a6                 n/a6               n/a7\nSource: OIG analysis of FinCEN documentation.\n1\n  The dates displayed were the initial planned completion dates when in May 2010, FinCEN began the design\n  and development of projects after receiving Office of Management and Budget approval.\n2\n  FinCEN submitted a baseline change request to the Treasury CIO to adjust selected project milestone\n  schedule dates and realign costs to keep the overall program on track. The baseline change was implemented\n  in June 2011.\n3\n  A sensitive compartmented information facility (SCIF) has formal access controls and is used to hold\n  information concerning or derived from intelligence sources, methods, or analytical processes, which was not p\n  was part of the June 2011 baseline change request.\n4\n  A baseline change was implemented in March 2013 which adjusted the schedule completion dates.\n5\n  Initially, Release 2 of the project was planned as one phase.\n6\n  Not applicable - The work planned for Infrastructure release 3 was removed from the project and will be\n  done as part of BSA IT Mod\xe2\x80\x99s on-going operations and maintenance.\n\n\n                        Funding of the BSA IT Mod\n\n                        The BSA IT Mod development was funded through $119.9\n                        million made available from FinCEN\xe2\x80\x99s annual Congressional\n                        appropriations and through supplemental funding from the\n                        Treasury Forfeiture Fund administered by the Treasury Executive\n                        Office for Asset Forfeiture (TEOAF). Table 2 displays funding\n                        from 2009 through 2013.\n\n                           Table 2: BSA IT Mod Development Funding Sources (in millions)\n                                                                          Treasury\n                           Fiscal            Congressional               Forfeiture\n                           Year              Appropriation                    Fund            Total\n                           2009                      $2.5                    $3.7             $6.2\n                           2010                      18.5                    11.7             30.2\n                           2011                      18.5                    11.5             30.0\n                           2012                      23.5                      6.5            30.0\n                           2013                      23.5                      0.0            23.5\n                             Total                  $86.5                   $33.4           $119.9\n                           Source: OIG analysis of FinCEN and TEOAF documentation.\n\n\n\n\n                       FinCEN Completed the BSA IT Modernization Program Within                         Page 18\n                       Budget and Schedule (OIG-14-048)\n\x0c                         Appendix 2\n                         Additional Background Information on BSA IT Mod\n\n\n\n\n                          Contractors Engaged by FinCEN\n\n                          In March 2008, FinCEN awarded a 5-year indefinite delivery,\n                          indefinite quantity (IDIQ) contract to BearingPoint, Inc., to\n                          support a full range of information technology services, custom\n                          applications, maintenance support, and infrastructure support\n                          necessary to implement the FinCEN IT operational objectives.\n                          Numerous task orders have been issued against the contract\n                          including those for the BSA IT Mod program. 19 The contract was\n                          subsequently transferred to Deloitte Consulting, LLP (Deloitte). 20\n                          The contract ceiling was $144 million with a minimum of\n                          $1 million over the contract\xe2\x80\x99s 5-year life. FinCEN also contracted\n                          with MITRE Corporation (MITRE) at a cost of approximately\n                          $2.1 million to provide management guidance, coordination, and\n                          evaluation support for BSA IT Mod. 21 MITRE is a subject matter\n                          expert on program and project management, and BSA IT Mod\n                          business capabilities.\n\n                          FinCEN is using the Treasury\xe2\x80\x99s Bureau of the Fiscal Service\n                          Administrative Resource Center for new contracting services\n                          related to BSA IT Mod. FinCEN had previously used the\n                          Acquisitions Services Directorate of the U.S. Department of the\n                          Interior as the contract office to administer the contract. FinCEN\n                          chose this office because of its prior experience handling large,\n                          complex procurements.\n\n\n19\n     An IDIQ contract provides for an indefinite quantity of services during a fixed period of time. This\n     type of contract is used when it cannot be predetermined, above a specified minimum, the precise\n     quantities of supplies or services that the government will require during the contract period. IDIQ\n     contracts are most often used for service contracts and architect-engineering services. An IDIQ\n     contract is flexible, especially when not all the requirements are known at the start of a contract and\n     is conducive to a modular approach, which would be one with phases or milestones.\n20\n     The IDIQ contract was transferred from BearingPoint, Inc. to Deloitte on October 1, 2009 after\n     Deloitte purchased substantially all of the assets of Bearing Point, Inc., Public Service Division.\n21\n     MITRE is a not-for-profit organization chartered to work in the public interest with expertise in\n     systems engineering, information technology, operational concepts, and enterprise modernization.\n     Among other things, it manages federally funded research and development centers, including one\n     for Internal Revenue Service (IRS) and U.S. Department of Veterans Affairs (the Center for Enterprise\n     Modernization). Under Treasury\xe2\x80\x99s existing contract with MITRE, Treasury and its bureaus, with\n     permission of the IRS sponsor, may contract for support in the following task areas: strategic\n     management, technical management, program and project management, procurement, and evaluation\n     and audit to facilitate the modernization of systems and their business and technical operation.\n\n\n\n                         FinCEN Completed the BSA IT Modernization Program Within                   Page 19\n                         Budget and Schedule (OIG-14-048)\n\x0cAppendix 2\nAdditional Background Information on BSA IT Mod\n\n\n\n\n FinCEN officials told us that Deloitte\xe2\x80\x99s 5-year IDIQ contract\n ended in March 2013; however, the Acquisitions Services\n Directorate allowed a 6-month extension to September 2013\n and allowed FinCEN to extend various task orders under the\n IDIQ contract. During the audit period, Deloitte completed\n development of the Broker Information Exchange and then\n stayed on to resolve system defects until the expiration of its\n task order on April 30, 2014. As of June 30, 2014, Deloitte\xe2\x80\x99s\n only remaining involvement with the BSA IT Mod program is as\n a subcontractor under NavStar, the infrastructure contractor.\n\n As of June 30, 2014, the current BSA IT Mod contracts in place\n are as follows:\n\n \xe2\x80\xa2   In September 2010, a contract was awarded to Universal\n     Consulting Services, Inc. for application service desk support.\n     It is a 6-month contract with five 1-year extensions. The\n     contract awards a minimum of $500,000 and has ceiling of\n     $23 million.\n\n \xe2\x80\xa2   In August 2013, a contract for BSA IT Mod network support\n     was awarded to NavStar, as a 2.5-year firm-fixed-contract.\n     The contract awards $2.064 million in the 6-month base year\n     and has a contract ceiling of $9.3 million. Deloitte\xe2\x80\x99s task\n     order under its IDIQ contract for network support ended in\n     September 2013.\n\n \xe2\x80\xa2   In September 2013, a contract for BSA IT Mod program\n     management support was awarded to Total Systems\n     Technologies Corporation, as a 3-year firm-fixed-price\n     contract. The contract awards $750,761 in the base year\n     and has a total contract ceiling of $2.279 million. Deloitte\n     continued its support program management during the\n     transition until the expiration of Deloitte\xe2\x80\x99s contract at the end\n     of December 2013.\n\n \xe2\x80\xa2   In November 2013, a contract for operations and\n     maintenance was awarded to Northrup Grumman. It is a 6-\n     month contract with three 1-year extensions with a total\n     value of $22,823,940.\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within         Page 20\nBudget and Schedule (OIG-14-048)\n\x0cAppendix 3\nManagement Response\n\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within   Page 21\nBudget and Schedule (OIG-14-048)\n\x0cAppendix 4\nMajor Contributors to this Report\n\n\n\n\nBoston Office\n\nMark Ossinger, Audit Manager\nKenneth O\xe2\x80\x99Loughlin, Audit Manager\nRichard Wood, Auditor\n\nWashington, D.C.\n\nLarissa Klimpel, Referencer\n\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within   Page 22\nBudget and Schedule (OIG-14-048)\n\x0cAppendix 5\nReport Distribution\n\n\n\n\nDepartment of the Treasury\n\n   Deputy Secretary\n   Under Secretary for Terrorism and Financial Intelligence\n   Chief Information Officer\n   Office of Strategic Planning and Performance Management\n   Office of the Deputy Chief Financial Officer, Risk and Control\n       Group\n\nFinancial Crimes Enforcement Network\n\n   Director\n\nOffice of Management and Budget\n\n   OIG Budget Examiner\n\nU.S. Senate\n\n   Chairman and Ranking Member\n   Committee on Appropriations\n   Chairman and Ranking Member\n   Subcommittee on Financial Services and General Government\n   Committee on Appropriations\n\nU.S. House of Representatives\n\n   Chairman and Ranking Member\n   Committee on Appropriations\n\n   Chairman and Ranking Member\n   Subcommittee on Financial Services and General Government\n   Committee on Appropriations\n\n\n\n\nFinCEN Completed the BSA IT Modernization Program Within      Page 23\nBudget and Schedule (OIG-14-048)\n\x0c"